[wp-hackers] Should password hashing portability be configurable?

Otto otto at ottodestruct.com
Wed Nov 7 19:24:06 UTC 2012

Yes, that said, bcrypt was indeed intentionally designed to be
slow-as-heck for hashing, so it would be more secure in theory. I have
my doubts about that in practice. Modern GPU based crackers are

Since we're on 5.3 and up now, it does make sense to remove the "true"
from those functions, since every PHP 5.3 should have bcrypt in it.
Might be worth making a core ticket for it instead of a plugin.


On Wed, Nov 7, 2012 at 1:22 PM, Harry Metcalfe <harry at dxw.com> wrote:
>> The underlying cryptographic hash function is pretty much
>> irrelevant to the concept of password storage.
> As far as choosing between MD5/SHA256/similar, I agree. But bcrypt is
> different.
>> Unless the hash algorithm is extremely slow, [...]
> This is exactly the point. bcrypt is, by design, very slow. And it can be
> adjusted to make it slower as computing power becomes cheaper. More:
> http://en.wikipedia.org/wiki/Bcrypt
> http://codahale.com/how-to-safely-store-a-password/

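Added example (not code from the thread, WordPress or phpass) showing the two properties argued above: bcrypt's cost parameter makes each hash slower, and a stored hash can be re-hashed at a higher cost on login as hardware gets faster. It assumes PHP 7 or later for password_hash()/password_verify()/password_needs_rehash() and scalar type hints, which is newer than the PHP 5.3 the thread discusses; the target time and demo password are constructed values.

```php
<?php
// Target per-hash time in seconds (constructed tuning target; adjust for your own servers).
const TARGET_SECONDS = 0.05;

// Find the largest bcrypt cost whose single hash still finishes under the target on this host.
// Each +1 on the cost doubles the work, which is the "adjustable slowness" the thread refers to.
function pick_bcrypt_cost(float $target = TARGET_SECONDS): int {
    $cost = 4;                         // PHP's minimum bcrypt cost
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $target && $cost < 31);
    return $cost - 1;                  // last cost that stayed under the target
}

// Hash with an explicit cost; the work factor is visible in the stored string ($2y$<cost>$...).
function hash_password(string $password, int $cost): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verify the password, then report whether the stored hash was made with a cost other than
// the current one and should be replaced. Rehashing can only happen at login time, because
// that is the only moment the plaintext is available to the server.
function check_and_upgrade(string $password, string $stored, int $current_cost): array {
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $new = null;
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $current_cost])) {
        $new = hash_password($password, $current_cost);   // caller stores this in place of $stored
    }
    return ['ok' => true, 'new_hash' => $new];
}

// Demo: a hash made at a low cost (8) is upgraded to the cost tuned for this machine.
$cost   = pick_bcrypt_cost();
$old    = hash_password('correct horse battery staple', 8);
$result = check_and_upgrade('correct horse battery staple', $old, $cost);
printf("tuned cost=%d  old prefix=%s  upgraded=%s\n",
    $cost, substr($old, 0, 7),
    $result['new_hash'] !== null ? substr($result['new_hash'], 0, 7) : 'no');
```

If the tuned cost on the machine running this comes out at 8 or below, the demo reports no upgrade; raising TARGET_SECONDS shows the rehash path.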